on 2019 Sep 10 1:52 AM
Hi Experts
Currently I am working on the design of a project to integrate IAM with SAP GRC Access Control 10.1 for SAP user provisioning and SoD compliance checks.
Business Scenario
a. The user raises a SAP access request in IAM; after manager approval in IAM, the request flows to GRC AC for the SoD check.
b. In case of SoD violations, the access request in GRC AC flows to the Role Approver for approval and then, after Role Approver approval, to the GRC team for mitigation.
c. Once the risk is mitigated, the request flows back to IAM and the access gets provisioned to the SAP box.
I have some build-specific questions related to Role Management under the IAM - SAP GRC AC integration and I hope to get your answers.
1. Please let me know if it is possible to have just one repository (IAM) for Business Role Management, preferably in IAM, with the business and technical roles synced to SAP GRC BRM via an automated job. This is needed to maintain one role repository instead of maintaining it in both IAM and SAP Access Control.
2. If the above is possible, please let me know whether the Role Approvers can be synced from IAM to SAP GRC BRM, since Role Approver approval takes place in GRC AC, or whether we need to maintain Role Approvers manually in SAP GRC BRM for each role.
I appreciate your help here. Do let me know if further details are needed.
Thanks for your help in advance.
Thanks
Nitesh
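To make the request flow in steps a to c concrete, here is an added illustration that is not part of the original thread and does not call any real SAP GRC web service. It models the flow with constructed sample data: a small SoD rule set of conflicting business functions, a role repository held in IAM (the single source of truth, including role owners), and a request that moves from manager approval through the SoD check, role-owner approval and mitigation to provisioning. All rule IDs, role names, owner IDs and control IDs are assumptions chosen for the example.

```python
"""Added example: a simplified model of the IAM -> GRC AC access request flow.
Rule set, roles, owners and the request are constructed sample data (assumptions);
no SAP GRC API is called."""
from dataclasses import dataclass, field
from enum import Enum
from itertools import combinations_with_replacement

# Constructed SoD rule set: risk id -> pair of conflicting business functions.
RISK_RULES = {
    "P001": ("CREATE_VENDOR", "PAY_VENDOR"),
    "F002": ("POST_JOURNAL", "APPROVE_JOURNAL"),
}

# Constructed role repository maintained in IAM: role -> functions and role owner.
# The owner recorded here is what the GRC workflow would use as Role Approver.
ROLE_REPOSITORY = {
    "Z_AP_VENDOR_MAINT": {"functions": {"CREATE_VENDOR"}, "owner": "owner.ap"},
    "Z_AP_PAYMENT_RUN": {"functions": {"PAY_VENDOR"}, "owner": "owner.treasury"},
    "Z_GL_DISPLAY": {"functions": {"DISPLAY_GL"}, "owner": "owner.gl"},
}


class Status(Enum):
    MANAGER_APPROVAL = "manager_approval"   # step a, in IAM
    SOD_CHECK = "sod_check"                 # step a, in GRC AC
    ROLE_APPROVAL = "role_approval"         # step b, only on violations
    MITIGATION = "mitigation"               # step b, GRC team
    PROVISION = "provision"                 # step c, back in IAM


@dataclass
class AccessRequest:
    user: str
    roles: list
    status: Status = Status.MANAGER_APPROVAL
    violations: dict = field(default_factory=dict)   # risk id -> (role, role)
    mitigations: dict = field(default_factory=dict)  # risk id -> control id
    approvals: set = field(default_factory=set)      # role owners who approved


def risk_analysis(roles, existing_roles=()):
    """Return {risk_id: (role_a, role_b)} for each rule whose two functions are
    granted by the requested plus already-held roles. Pairing a role with itself
    also catches a single role that carries both sides of a conflict."""
    all_roles = list(existing_roles) + list(roles)
    violations = {}
    for risk_id, (f1, f2) in RISK_RULES.items():
        for r1, r2 in combinations_with_replacement(all_roles, 2):
            fa = ROLE_REPOSITORY[r1]["functions"]
            fb = ROLE_REPOSITORY[r2]["functions"]
            if (f1 in fa and f2 in fb) or (f2 in fa and f1 in fb):
                violations[risk_id] = (r1, r2)
                break
    return violations


def role_approvers(roles):
    """Role Approvers come from the IAM repository, not a second copy in BRM."""
    return {ROLE_REPOSITORY[r]["owner"] for r in roles}


def after_manager_approval(req):
    """Step a: manager approved in IAM, run the SoD check in GRC AC."""
    req.status = Status.SOD_CHECK
    req.violations = risk_analysis(req.roles)
    req.status = Status.ROLE_APPROVAL if req.violations else Status.PROVISION
    return req


def record_role_approval(req, approver):
    """Step b: every owner of a requested role must approve before mitigation."""
    if approver not in role_approvers(req.roles):
        raise PermissionError(f"{approver} does not own any requested role")
    req.approvals.add(approver)
    if req.approvals == role_approvers(req.roles):
        req.status = Status.MITIGATION
    return req


def assign_mitigation(req, risk_id, control_id):
    """Step b: GRC team assigns a mitigating control to each reported risk."""
    if risk_id not in req.violations:
        raise ValueError(f"{risk_id} was not reported for this request")
    req.mitigations[risk_id] = control_id
    if set(req.mitigations) == set(req.violations):
        req.status = Status.PROVISION
    return req


def can_provision(req):
    """Step c: IAM provisions only when every reported risk is mitigated."""
    return req.status is Status.PROVISION and set(req.violations) <= set(req.mitigations)


if __name__ == "__main__":
    req = AccessRequest("jdoe", ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"])
    after_manager_approval(req)
    print(req.status, req.violations)
    record_role_approval(req, "owner.ap")
    record_role_approval(req, "owner.treasury")
    assign_mitigation(req, "P001", "MC-AP-01")
    print(req.status, can_provision(req))
```

The point of the model is the gate in can_provision: provisioning back in IAM depends on the violation list produced by the SoD check and on a control for each entry, so a request cannot skip from approval to provisioning just because the workflow status was advanced.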
Hi Nitesh,
You need to utilize the web service provided by GRC Access Control to achieve your goals, because if you need to integrate with any non-SAP system then this is the only option.
In your scenario you can still keep the roles in your IAM system and reach out to GRC for the workflow and SoD activity, but you need to maintain the role owner on the workflow side through BRF+, which might help you achieve your goals. Remember that you still need to sync data from IAM to GRC.
Thanks everyone for the reply.
In case of any more queries, I will open a new post.
Hi Nitesh,
SAP IDM 8.0 SP06 and GRC 12.0 have the capability to integrate the Business Role (Unified Business Role Management).
Thanks
Ramesh
Hi Nitesh,
You want to store your SAP roles in a centralized IAM product? I wouldn't go this route. I would use BRM for what it is meant to do: BRM should be your repository. I have worked on similar designs to this, which is not really advised, but if that's the requirement then you can sync the role request. For example, if you are using something like ServiceNow to request roles, you could send the role name to GRC, GRC could read the role names, and then you use ARA for risk analysis, ARM and BRM.
There are many ways you could do this, LDAP from AD for one. I would strongly advise you to stick to standard where possible and always be sure of your single source of truth for your master data.
Dear Colleen,
Many thanks for your reply.
Currently the IAM product is not decided.
From the perspective of standardization and design, we are considering the IAM product as the role repository, which syncs the roles and role owners to the GRC BRM product.
Is it possible to sync roles from the IAM product to GRC BRM for the role assignment approval workflow?
Thanks
Nitesh
Hi Nitesh,
What IAM product are you referring to?
Have you considered BRM as the repository that syncs the roles to the IAM product? Role Owners are then stored in BRM and can be used in the workflow. If not, you can always configure custom agent rules to determine the approval (which would be a call out to the IAM solution if the data is not held locally).